A Framework To Handle Linear Temporal Properties in ($\omega$-)Regular Model Checking



Ahmed Bouajjani^a, Axel Legay^b, Pierre Wolper^c

^a LIAFA - Université Paris 7
175, rue du chevaleret 
Paris, France 

^b Université de Rennes 1
Institut d'informatique INRIA 
Rennes, France 

^c Université de Liège
Institut Montefiore, B28
Liège, Belgium



Abstract 

Since the topic emerged several years ago, work on regular model checking has 
mostly been devoted to the verification of state reachability and safety properties. 
Though it was known that linear temporal properties could also be checked within 
this framework, little has been done about working out the corresponding details. 
This paper addresses this issue in the context of regular model checking based on the 
encoding of states by finite or infinite words. It works out the exact constructions 
to be used in both cases, and proposes a partial solution to the problem resulting 
from the fact that infinite computations of unbounded configurations might never 
contain the same configuration twice, thus making cycle detection problematic. 



Key words: ($\omega$-)regular model checking, transducer, semi-algorithm, simulation, rewrite systems, Büchi automata, framework paper.



* The present article is an extended version of a paper which appears in the Proceedings of [BLW04b].

Email addresses: abou@liafa.jussieu.fr (Ahmed Bouajjani), 
alegay@irisa.fr (Axel Legay), pw@montefiore.ulg.ac.be (Pierre Wolper). 



Preprint submitted to Elsevier Science 



26 January 2009 



1 Introduction 



At the heart of all the techniques that have been proposed for exploring infinite state spaces is a symbolic representation that can finitely represent infinite sets of states. In early work on the subject, this representation was domain specific, for example linear constraints for sets of real vectors. For several years now, the idea that a generic finite-automaton based representation could be used in many settings has gained ground, starting with systems manipulating queues and integers [WB95,BEM97,BRW98], then moving to parametric systems [KMM+97], and, recently, reaching systems using real variables [BJW01,BHJ03].

Beyond the necessary symbolic representation, there is also a need to "accelerate" the search through the state space in order to reach, in a finite amount of time, states at unbounded depths. In acceleration techniques, the move has again been from the specific to the generic, the latter approach being often referred to as regular model checking. In ($\omega$-)regular model checking (see e.g. [BJNT00,DLS02,BLW04a]), the transition relation is represented by a finite-state transducer and acceleration techniques aim at computing the iterative closure of this transducer algorithmically, though necessarily foregoing totality or preciseness, or even both. The advantages of using a generic technique are of course that there is only one method to implement independently of the domain considered, that multidomain situations can potentially be handled transparently, and that the scope of the technique can include cases not handled by specific approaches. Beyond these concrete arguments, one should not forget the elegance of the generic approach, which can be viewed as an indication of its potential, thus justifying a thorough investigation.

However, computing reachable states is not quite model checking. For reachability properties model checking can be reduced to a state reachability problem, but for properties that include a linear temporal component, the best that can be done is to reduce the model-checking problem to emptiness of a Büchi automaton [VW86], which represents all the executions of the system that do not satisfy the property. If this automaton is empty, then the system satisfies the property, else the property is not satisfied. In this framework, one thus has to check for repeated reachability rather than reachability.

In this paper, we consider the specification and the verification of linear temporal properties in the ($\omega$-)regular model checking framework^1. The objective of the paper is to provide generic analysis techniques covering various classes of systems that can be encoded in this framework.

^1 In the rest of the paper, we use "($\omega$-)regular model checking" to denote either "regular model checking" or "$\omega$-regular model checking", depending on whether states are encoded by finite or infinite words.
We fully work out how to augment the transducer representing the system transitions in order to obtain a transducer encoding the Büchi automaton resulting from combining the system with the property. Once the transition relation of the Büchi automaton has been obtained, checking the automaton for nonemptiness is done by computing the iterative closure of this relation, finding nontrivial cycles between states, and finally checking for the reachability of states appearing in such cycles. When dealing with systems where the number of successors of each state is bounded, an accepting execution of the Büchi automaton will always contain the same state twice and hence an identifiable cycle. However, when dealing with states whose length can grow or that are infinite, there might very well be an accepting computation of the Büchi automaton in which the same state never appears twice.



To cope with this, we look for states that are not necessarily identical, but 
such that one entails the other in the sense that any execution possible from 
one is also possible from the other. The exact notion of entailment we use is 
simulation. For that, we compute symbolically the greatest simulation relation 
on the states of the system. 



The nice twist is that the computation of the symbolic representation of the 
simulation relation is in fact the computation of the limit of a sequence 
of finite-state automata, for which the acceleration techniques introduced in 
[BLW03,BLW04a,Leg07] can be used. However, there are also several cases 
where this computation converges after a finite number of steps, which has 
the added advantage of guaranteeing that the induced simulation equivalence 
relation partitions the set of configurations in a finite number of classes, and 
hence that existing accepting computations will necessarily be found, which 
might not be the case when the number of simulation equivalence classes is 
infinite. 



Structure of the paper. The paper is structured as follows. In Section 2, we recall the elementary definitions on automata theory that will be used throughout the rest of the paper. Section 3 presents the ($\omega$-)regular model checking framework as well as a methodology to reason about infinite executions. In Sections 4, 5, 6, and 7, the verification of several classes of linear temporal properties in the ($\omega$-)regular model checking framework is considered. Finally, Sections 8 and 9 conclude the paper with a comparison with other works on the same topic and several directions for future research, respectively.
2 Background on Automata Theory

In this section, we introduce several notations, concepts, and definitions that will be used throughout the rest of this paper. The set of natural numbers is denoted by $\mathbb{N}$, and $\mathbb{N}_0$ is used for $\mathbb{N} \setminus \{0\}$.

2.1 Relations 

Consider a set $S$, a set $S_1 \subseteq S$, and two binary^2 relations $R_1, R_2 \subseteq S \times S$. The identity relation on $S$, denoted $R_{id}^S$ (or $R_{id}$ when $S$ is clear from the context), is the set $\{(s,s) \mid s \in S\}$. The image of $S_1$ by $R_1$, denoted $R_1(S_1)$, is the set $\{s' \in S \mid (\exists s \in S_1)((s,s') \in R_1)\}$. The composition of $R_1$ with $R_2$, denoted $R_2 \circ R_1$, is the set $\{(s,s') \mid (\exists s'')((s,s'') \in R_1 \wedge (s'',s') \in R_2)\}$. The $i$th power of $R_1$ ($i \in \mathbb{N}_0$), denoted $R_1^i$, is the relation obtained by composing $R_1$ with itself $i$ times. The zero-power of $R_1$, denoted $R_1^0$, corresponds to the identity relation. The transitive closure of $R_1$, denoted $R_1^+$, is given by $\bigcup_{i=1}^{\infty} R_1^i$; its reflexive transitive closure, denoted $R_1^*$, is given by $R_1^+ \cup R_1^0$. The domain of $R_1$, denoted $Dom(R_1)$, is given by $\{s \in S \mid (\exists s' \in S)((s,s') \in R_1)\}$.

2.2 Words and Languages

An alphabet is a (nonempty) finite set of distinct symbols. A finite word of length $n$ over an alphabet $\Sigma$ is a mapping $w : \{0,\ldots,n-1\} \to \Sigma$. An infinite word, also called $\omega$-word, over $\Sigma$ is a mapping $w : \mathbb{N} \to \Sigma$. We denote by the term word either a finite word or an infinite word, depending on the context. The length of the finite word $w$ is denoted by $|w|$. A finite word $w$ of length $n$ is often represented by $w = w(0)\cdots w(n-1)$. An infinite word $w$ is often represented by $w(0)w(1)\cdots$. The sets of finite and infinite words over $\Sigma$ are denoted by $\Sigma^*$ and by $\Sigma^\omega$, respectively. We define $\Sigma^\infty = \Sigma^* \cup \Sigma^\omega$. A finite-word (respectively infinite-word) language over $\Sigma$ is a (possibly infinite) set of finite (respectively, infinite) words over $\Sigma$. Consider $L_1$ and $L_2$, two finite-word (resp. infinite-word) languages. The union of $L_1$ and $L_2$, denoted $L_1 \cup L_2$, is the language that contains all the words that belong either to $L_1$ or to $L_2$. The intersection of $L_1$ and $L_2$, denoted $L_1 \cap L_2$, is the language that contains all the words that belong to both $L_1$ and $L_2$. The complement of $L_1$, denoted $\overline{L_1}$, is the language that contains all the words over $\Sigma$ that do not belong to $L_1$.

We also introduce synchronous product and projection, which are two operations needed to define relations between languages.

^2 The term "binary" will be dropped in the rest of the paper.
Definition 1 Consider $L_1$ and $L_2$ two languages over $\Sigma$.

• If $L_1$ and $L_2$ are finite-word languages, the synchronous product $L_1 \times L_2$ of $L_1$ and $L_2$ is defined as follows

$$L_1 \times L_2 = \{(w(0),w'(0)) \ldots (w(n),w'(n)) \mid w = w(0)w(1)\ldots w(n) \in L_1 \wedge w' = w'(0)w'(1)\ldots w'(n) \in L_2\}.$$

• If $L_1$ and $L_2$ are $\omega$-languages, the synchronous product $L_1 \times L_2$ of $L_1$ and $L_2$ is defined as follows

$$L_1 \times L_2 = \{(w(0),w'(0))(w(1),w'(1))\cdots \mid w = w(0)w(1)\cdots \in L_1 \wedge w' = w'(0)w'(1)\cdots \in L_2\}.$$

The language $L_1 \times L_2$ is defined over the alphabet $\Sigma^2$.

Definition 1 directly generalizes to synchronous products of more than two languages. Given two finite (respectively, infinite) words $w_1, w_2$ (with $|w_1| = |w_2|$ if the words are finite) and two languages $L_1$ and $L_2$ with $L_1 = \{w_1\}$ and $L_2 = \{w_2\}$, we use $w_1 \times w_2$ to denote the unique word in $L_1 \times L_2$.

Definition 2 Suppose $L$ is a language over the alphabet $\Sigma^n$ and $i$ a natural number with $1 \le i \le n$. The projection of $L$ on all its components except component $i$, denoted $\Pi_{\neq i}(L)$, is the language $L'$ such that

$$\Pi_{\neq i}(L) = \{w_1 \times \ldots \times w_{i-1} \times w_{i+1} \times \ldots \times w_n \mid (\exists w_i)(w_1 \times \ldots \times w_{i-1} \times w_i \times w_{i+1} \times \ldots \times w_n \in L)\}.$$

2.3 Automata 

Definition 3 An automaton over $\Sigma$ is a tuple $A = (Q, \Sigma, Q_0, \Delta, F)$, where

• $Q$ is a finite set of states,

• $\Sigma$ is a finite alphabet,

• $Q_0 \subseteq Q$ is the set of initial states,

• $\Delta \subseteq Q \times \Sigma \times Q$ is a finite transition relation, and

• $F \subseteq Q$ is the set of accepting states (the states in $Q \setminus F$ are the nonaccepting states).

Let $A = (Q, \Sigma, Q_0, \Delta, F)$ be an automaton and $a \in \Sigma$. If $(q_1, a, q_2) \in \Delta$, then we say that there is a transition from $q_1$ (the origin) to $q_2$ (the destination) labeled by $a$. We sometimes abuse the notations, and write $q_2 \in \Delta(q_1, a)$ instead of $(q_1, a, q_2) \in \Delta$. Two transitions $(q_1, a, q_2), (q_3, b, q_4) \in \Delta$ are consecutive if $q_2 = q_3$. Given two states $q, q' \in Q$ and a finite word $w \in \Sigma^*$, we write $(q, w, q') \in \Delta^*$ if there exist states $q_0, \ldots, q_n$ and $w(0), \ldots, w(n-1) \in \Sigma$ such that $q_0 = q$, $q_n = q'$, $w = w(0)w(1)\cdots w(n-1)$, and $(q_i, w(i), q_{i+1}) \in \Delta$ for all $0 \le i \le n-1$. Given two states $q, q' \in Q$, we say that the state $q'$ is reachable from $q$ in $A$ if $(q, w, q') \in \Delta^*$ for some $w \in \Sigma^*$. The automaton $A$ is complete if for each state $q \in Q$ and symbol $a \in \Sigma$, there exists at least one state $q' \in Q$ such that $(q, a, q') \in \Delta$. An automaton can easily be completed by adding an extra nonaccepting state.

A finite run of $A$ on a finite word $w : \{0,\ldots,n-1\} \to \Sigma$ is a labeling $\rho : \{0,\ldots,n\} \to Q$ such that $\rho(0) \in Q_0$, and $(\forall 0 \le i \le n-1)((\rho(i), w(i), \rho(i+1)) \in \Delta)$. A finite run $\rho$ is accepting for $w$ if $\rho(n) \in F$. An infinite run of $A$ on an infinite word $w : \mathbb{N} \to \Sigma$ is a labeling $\rho : \mathbb{N} \to Q$ such that $\rho(0) \in Q_0$, and $(\forall 0 \le i)((\rho(i), w(i), \rho(i+1)) \in \Delta)$. An infinite run $\rho$ is accepting for $w$ if $inf(\rho) \cap F \neq \emptyset$, where $inf(\rho)$ is the set of states that are visited infinitely often by $\rho$.

We distinguish between finite-word automata, that are automata accepting finite words, and Büchi automata, that are automata accepting infinite words. A finite-word automaton accepts a finite word $w$ if there exists an accepting finite run on $w$ in this automaton. A Büchi automaton accepts an infinite word $w$ if there exists an accepting infinite run on $w$ in this automaton. The set of words accepted by $A$ is the language accepted by $A$, and is denoted $L(A)$. Any language that can be represented by a finite-word (respectively, Büchi) automaton is said to be regular (respectively, $\omega$-regular).

The automaton $A$ may behave nondeterministically on an input word, since it may have many initial states and the transition relation may specify many possible transitions for each state and symbol. If $|Q_0| = 1$ and for every state $q_1 \in Q$ and symbol $a \in \Sigma$ there is at most one state $q_2 \in Q$ such that $(q_1, a, q_2) \in \Delta$, then $A$ is deterministic. In order to emphasize this property, a deterministic automaton is denoted as a tuple $(Q, \Sigma, q_0, \delta, F)$, where $q_0$ is the unique initial state and $\delta : Q \times \Sigma \to Q$ is a partial function deduced from the transition relation by setting $\delta(q_1, a) = q_2$ if $(q_1, a, q_2) \in \Delta$. Operations on languages directly translate to operations on automata, and so do the notations.

One can decide whether the language accepted by a finite-word or a Büchi automaton is empty or not. It is also known that finite-word automata are closed under determinization, complementation, union, projection, and intersection [Hop71]. Moreover, finite-word automata admit a minimal form, which is unique up to isomorphism [Hop71].

Though the union, intersection, synchronous product, and projection of Büchi automata can be computed efficiently, the complementation operation requires intricate algorithms that not only are worst-case exponential, but are also hard to implement and optimize (see [Var07] for a survey). The core problem is that there are Büchi automata that do not admit a deterministic/minimal form. To work with infinite-word automata that have the same properties as finite-word automata, we will restrict ourselves to weak automata [MSS86] defined hereafter.



Definition 4 For a Büchi automaton $A = (\Sigma, Q, q_0, \delta, F)$ to be weak, there has to be a partition of its state set $Q$ into disjoint subsets $Q_1, \ldots, Q_m$ such that for each of the $Q_i$, either $Q_i \subseteq F$, or $Q_i \cap F = \emptyset$, and there is a partial order $\le$ on the sets $Q_1, \ldots, Q_m$ such that for every $q \in Q_i$ and $q' \in Q_j$ for which, for some $a \in \Sigma$, $q' \in \Delta(q, a)$ ($q' = \delta(q, a)$ in the deterministic case), $Q_j \le Q_i$.



A weak automaton is thus a Büchi automaton such that each of the strongly connected components of its graph contains either only accepting or only nonaccepting states.

Not all $\omega$-regular languages can be accepted by deterministic weak Büchi automata, not even by nondeterministic weak automata. However, there are algorithmic advantages to working with weak automata: deterministic weak automata can be complemented simply by inverting their accepting and nonaccepting states; and there exists a simple determinization procedure for weak automata [Saf92], which produces Büchi automata that are deterministic, but generally not weak. Nevertheless, if the represented language can be accepted by a deterministic weak automaton, the result of the determinization procedure will be inherently weak according to the definition below [BJW01] and thus easily transformed into a weak automaton.



Definition 5 A Büchi automaton is inherently weak if none of the reachable strongly connected components of its transition graph contain both accepting (visiting at least one accepting state) and non-accepting (not visiting any accepting state) cycles.



This gives us a pragmatic way of staying within the realm of deterministic weak Büchi automata. We start with sets represented by such automata. This is preserved by union, intersection, synchronous product, and complementation operations. If a projection is needed, the result is determinized by the known simple procedure. Then, either the result is inherently weak and we can proceed, or it is not and we are forced to use the classical algorithms for Büchi automata. The latter case might never occur, for instance if we are working with automata representing sets of reals definable in the first-order theory of linear constraints [BJW01].

A final advantage of weak deterministic Büchi automata is that they admit a minimal form, which is unique up to isomorphism [Lod01].






2.4 Transducers



In this paper, we will consider relations that are defined over sets of words. We use the following definitions taken from [Nil01]. For a finite-word (respectively, infinite-word) language $L$ over $\Sigma^n$, we denote by $\lfloor L \rfloor$ the finite-word (respectively, infinite-word) relation over $\Sigma^n$ consisting of the set of tuples $(w_1, w_2, \ldots, w_n)$ such that $w_1 \times w_2 \times \cdots \times w_n$ is in $L$. The arity of such a relation is $n$. Note that for $n = 1$, we have that $L = \lfloor L \rfloor$. The relation $R_{id}$ is the identity relation, i.e., $R_{id} = \{(w_1, w_2, \ldots, w_n) \mid w_1 = w_2 = \cdots = w_n\}$. A relation $R$ defined over $\Sigma^n$ is ($\omega$-)regular if there exists a ($\omega$-)regular language $L$ over $\Sigma^n$ such that $\lfloor L \rfloor = R$.

We now introduce transducers, that are automata for representing ($\omega$-)regular relations over $\Sigma^2$.

Definition 6 A transducer over $\Sigma$ is an automaton $T$ over $\Sigma^2$ given by $(Q, \Sigma^2, Q_0, \Delta, F)$, where

• $Q$ is the finite set of states,

• $\Sigma^2$ is the finite alphabet,

• $Q_0 \subseteq Q$ is the set of initial states,

• $\Delta \subseteq Q \times \Sigma^2 \times Q$ is the transition relation, and

• $F \subseteq Q$ is the set of accepting states (the states that are not in $F$ are the nonaccepting states).

Given an alphabet $\Sigma$, the transducer representing the identity relation over $\Sigma$ is denoted $T_{id}^\Sigma$ (or $T_{id}$ when $\Sigma$ is clear from the context). All the concepts and operations defined for finite automata can be used with transducers. The only reason to particularize this class of automata is that some operations, such as composition, are specific to relations. In the sequel, we use the term "transducer" instead of "automaton" when using the automaton as a representation of a relation rather than as a representation of a language. We sometimes abuse the notations and write $(w_1, w_2) \in T$ instead of $(w_1, w_2) \in \lfloor L(T) \rfloor$. Given a pair $(w_1, w_2) \in T$, $w_1$ is the input word, and $w_2$ is the output word. The transducers we consider here are often called structure-preserving, which means that when following a transition, a symbol of the input word is replaced by exactly one symbol of the output word.

Given two transducers $T_1$ and $T_2$ over the alphabet $\Sigma$ that represent two relations $R_1$ and $R_2$, respectively, the composition of $T_1$ by $T_2$, denoted $T_2 \circ T_1$, is the transducer that represents the relation $R_2 \circ R_1$. We denote by $T^i$ ($i \in \mathbb{N}_0$) the transducer that represents the relation $R^i$. The transitive closure of $T$ is $T^+ = \bigcup_{i=1}^{\infty} T^i$; its reflexive transitive closure is $T^* = T^+ \cup T_{id}$. The transducer $T$ is reflexive if and only if $L(T_{id}) \subseteq L(T)$. Given an automaton $A$ over $\Sigma$ that represents a set $S$, we denote by $T(A)$ the automaton representing the image of $A$ by $T$, i.e., an automaton for the set $R(S)$.

Let $T_1$ and $T_2$ be two finite-word (respectively, Büchi) transducers defined over $\Sigma$ and let $A$ be a finite-word (respectively, Büchi) automaton defined over $\Sigma$. We observe that $T_2 \circ T_1 = \Pi_{\neq 2}[(T_1 \times A_\Sigma) \cap (A_\Sigma \times T_2)]$ and $T(A) = \Pi_{\neq 1}[(A \times A_\Sigma) \cap T]$, where $A_\Sigma$ is an automaton accepting $\Sigma^*$ (respectively, $\Sigma^\omega$). As a consequence, the composition of two finite-word ((weak) Büchi) transducers is a finite-word ((weak) Büchi) transducer. However, the composition of two deterministic weak Büchi transducers is a weak Büchi transducer whose deterministic version may not be weak. The same observation can be made about the composition of a transducer with an automaton.



3 System Models and ($\omega$-)Regular Model Checking

3.1 The Framework 

In this section, we recall the definition of state-transition system, that is the 
abstraction formalism which is generally used to describe programs. We then 
present an automata-based encoding of state-transition systems. Finally, the 
properties of this encoding are discussed. 

3.1.1 State-transition Systems 

Systems are often modeled as state-transition systems. 
Definition 7 A state-transition system is a tuple $(S, S_0, R)$, where

• $S$ is a (possibly infinite) set of states,

• $S_0 \subseteq S$ is a (possibly infinite) set of initial states, and

• $R \subseteq S \times S$ is a (possibly infinite) reachability relation that describes the transitions between the states of the system.

Let $\mathcal{T} = (S, S_0, R)$ be a state-transition system. If $(s, s') \in R$, then we say that there is a transition from $s$ (the origin) to $s'$ (the destination). Given two states $s, s' \in S$, we write $s \to_R s'$ if and only if $(s, s') \in R$. A state $s' \in S$ is said to be reachable from a state $s \in S$ if there exists $k > 0$ and states $s_0, s_1, s_2, \ldots, s_{k-1} \in S$ such that $s_0 = s$, $s_{k-1} = s'$ and $s_i \to_R s_{i+1}$ for all $0 \le i < k-1$. The fact that $(s, s')$ belongs to the reflexive transitive closure $R^*$ of $R$ is denoted by $s \to_R^* s'$. A state $s \in S$ is reachable if it is reachable from a state in $S_0$. The set of all reachable states of $\mathcal{T}$ is denoted $S^R$. The state space $(S^R, R^R)$ of $\mathcal{T}$ is the (possibly infinite) graph whose nodes are the reachable states of $\mathcal{T}$, and whose edges $R^R$ are given by $R \cap (S^R \times S^R)$. We say that $\mathcal{T}$ is finite if $S^R$ is finite; it is infinite otherwise. $\mathcal{T}$ is said to be locally-finite if and only if any execution from any state in $S_0$ can only go through a finite number of distinct states. A finite execution $\pi$ of $\mathcal{T}$ is a mapping $\pi : \{0, \ldots, n-1\} \to S$ such that $\pi(0) \in S_0$ and for all $0 \le i < n-1$, $\pi(i) \to_R \pi(i+1)$. A finite execution is often represented by $\pi = \pi(0)\pi(1)\pi(2)\ldots\pi(n-1)$. An infinite execution $\pi$ of $\mathcal{T}$ is a mapping $\pi : \mathbb{N} \to S$ such that $\pi(0) \in S_0$ and for all $i \ge 0$, $\pi(i) \to_R \pi(i+1)$. An infinite execution is often represented by $\pi = \pi(0)\pi(1)\pi(2)\ldots$. In the rest of this paper, we consider systems whose executions are all infinite.

One distinguishes between two types of properties. 

(1) Reachability properties. We assume that a reachability property $\varphi$ is described as a set of states $S_\varphi \subseteq S$. The system $\mathcal{T}$ satisfies $\varphi$ if and only if $S^R \subseteq S_\varphi$. Verifying reachability properties thus reduces to computing the set of reachable states.

(2) Linear temporal properties. We assume that a linear temporal property $\varphi$ is described as a set of executions $\pi_\varphi$, which are often represented by a Büchi automaton. The system $\mathcal{T}$ satisfies $\varphi$ if and only if each of its executions belongs to $\pi_\varphi$. In general, the verification of linear temporal properties does not reduce to the computation of the set of reachable states of the system.



3.1.2 ($\omega$-)Regular Model Checking

In this paper, we suppose that states of state-transition systems are encoded by words over a fixed alphabet. If the states are encoded by finite words, then sets of states can be represented by finite-word automata and relations between states by finite-word transducers. This setting is referred to as regular model checking [KMM+97,WB98]. If the states are encoded by infinite words, then sets of states can be represented by deterministic weak Büchi automata and relations between states by deterministic weak Büchi transducers. This setting is referred to as $\omega$-regular model checking [BLW04a]. Formally, a finite automata-based representation of a state-transition system can be defined as follows.



Definition 8 A ($\omega$-)regular system for a state-transition system $\mathcal{T} = (S, S_0, R)$ is a triple $M = (\Sigma, A_{S_0}, T_R)$, where

• $\Sigma$ is a finite alphabet over which the states are encoded as finite (respectively infinite) words;

• $A_{S_0}$ is a deterministic finite-word (respectively deterministic weak Büchi) automaton over $\Sigma$ that represents $S_0$;

• $T_R$ is a deterministic finite-word (respectively deterministic weak Büchi) transducer over $\Sigma$ that represents $R$.

States being represented by words, the notions of set of states, initial states, reachability relation, computation, reachable state, and locally-finite for ($\omega$-)regular systems are defined identically to those of the corresponding state-transition system. There are many state-transition systems whose sets of states cannot be encoded by ($\omega$-)regular languages^3. Consequently, there are many state-transition systems for which there exists no corresponding ($\omega$-)regular system.

In the finite-word case, an execution of the system is an infinite sequence of same-length finite words over $\Sigma$. The regular model checking framework was first used to represent parametric systems [AJMd02,KMM+97,ABJN99]. The framework can also be used to represent various other models, which include linear integer systems [WB95,WB00], FIFO-queue systems [BG96], XML specifications [BHRV06,Td06], and heap analysis [BHMV05,BHRV06].

We now give insight about how to represent parametric systems. Let $P$ be a process represented by a finite state-transition system. A parametric system for $P$ is an infinite family $\mathcal{S} = \{S_n\}_{n \ge 0}$ of networks where for a fixed $n$, $S_n$ is an instance of $\mathcal{S}$, i.e. a network composed of $n$ copies of $P$ that work together in parallel. In the regular model checking framework, the finite set of states of each process is given as an alphabet $\Sigma$. Each state of an instance of the system can then be encoded as a finite word $w = w(0)\ldots w(n-1)$ over $\Sigma$, where $w(i-1)$ encodes the current state of the $i$th copy of $P$. Sets of states of several instances can thus be encoded together by finite-word automata. Observe that the states of an instance $S_n$ are all encoded with words of the same length. Consequently, relations between states in $S_n$ can be represented by binary finite-word relations, and eventually by transducers.

Example 9 Consider a simple example of a parametric network of identical processes implementing a token ring algorithm. Each of these processes can be either in idle or in critical mode, depending on whether or not it owns the unique token. Two neighboring processes can communicate with each other as follows: a process owning the token can give it to its right-hand neighbor. We consider the alphabet $\Sigma = \{N, T\}$. Each process can be in one of the two following states: $T$ (has the token) or $N$ (does not have the token). Given a word $w \in \Sigma^*$ with $|w| = n$ (meaning that $n$ processes are involved in the execution), we assume that the process whose state is encoded in position $w(0)$ is the right-hand neighbor of the one whose state is encoded in position $w(n-1)$. The transition relation can be encoded as the union of two reachability relations that are the following:

• $(N,N)^*(T,N)(N,T)(N,N)^*$ to describe the move of the token from $w(0)$ to $w(n-1)$, and

• $(N,T)(N,N)^*(T,N)$ to describe the move of the token from $w(n-1)$ to $w(0)$.

The set of all possible initial states where the first process has the token is described by $TN^*$.

^3 Indeed, there are uncountably many subsets of an infinite set of states, but only countably many finite strings of bits.

In the infinite-word case, an execution of the system is an infinite sequence of infinite words over $\Sigma$. The $\omega$-regular model checking framework has been used for handling systems with both integer and real variables [BW02,BJW05], such as linear hybrid systems with a constant derivative (see examples in [ACH+95] or in [BLW04b,Leg07]).

Verifying reachability properties of state-transition systems using their ($\omega$-)regular representation can easily be conducted with simple automata-based manipulations, assuming the existence of finite-word (respectively weak Büchi) automata for representing both the set of reachable states and the property. Computing an automaton that represents the set of reachable states can be reduced to the ($\omega$-)regular reachability problems defined hereafter.

Definition 10 Let $A$ be a deterministic finite-word (respectively weak Büchi) automaton, and $T$ be a deterministic finite-word (respectively weak Büchi) transducer. The ($\omega$-)regular reachability problems for $A$ and $T$ are the following:

(1) Computing $T^*(A)$: the goal is to compute a finite-word (respectively weak Büchi) automaton representing $T^*(A)$. If $A$ represents a set of states $S$ and $T$ a relation $R$, then $T^*(A)$ represents the set of states that can be reached from $S$ by applying $R$ an arbitrary number of times;

(2) Computing $T^*$: the goal is to compute a finite-word (respectively weak Büchi) transducer representing the reflexive transitive closure of $T$. If $T$ represents a reachability relation $R$, then $T^*$ represents its closure $R^*$.

Being able to compute $T^*(A)$ is clearly enough for verifying reachability properties. On the other hand, we will see that the computation of $T^*$ is generally unavoidable when considering the verification of temporal properties. In the rest of this paper, we propose techniques that reduce the verification of several classes of linear temporal properties to the resolution of the ($\omega$-)regular reachability problems over an augmented system.
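As an added illustration (not code from the paper), the following Python implements finite-word automata, the image computation $T(A) = \Pi_{\neq 1}[(A \times A_\Sigma) \cap T]$ of Section 2.4 and a language-inclusion check, and applies them to the token ring of Example 9: the transducer and the initial set $TN^*$ come from the example, while the candidate closure $N^*TN^*$, the naive iteration and all function names are my own assumptions. It shows why problem (1) of Definition 10 needs acceleration: the naive iteration $A_{k+1} = A_k \cup T(A_k)$ never reaches a fixpoint, whereas an inductive inclusion check validates a candidate for $T^*(A)$ in one step.

```python
class NFA:
    """Nondeterministic finite-word automaton (Definition 3);
    delta maps (state, symbol) -> set of successor states."""
    def __init__(self, states, alphabet, init, delta, final):
        self.states, self.alphabet = frozenset(states), frozenset(alphabet)
        self.init, self.final = frozenset(init), frozenset(final)
        self.delta = {k: frozenset(v) for k, v in delta.items()}

    def step(self, q, a):
        return self.delta.get((q, a), frozenset())

    def accepts(self, word):
        cur = self.init
        for a in word:
            cur = frozenset(q2 for q in cur for q2 in self.step(q, a))
        return bool(cur & self.final)

    def union(self, other):
        """Disjoint union: states of self are tagged 0, states of other 1."""
        tag = lambda i, s: frozenset((i, q) for q in s)
        delta = {((i, q), a): tag(i, v) for i, m in ((0, self), (1, other))
                 for (q, a), v in m.delta.items()}
        return NFA(tag(0, self.states) | tag(1, other.states), self.alphabet | other.alphabet,
                   tag(0, self.init) | tag(1, other.init), delta,
                   tag(0, self.final) | tag(1, other.final))


def image(A, T):
    """T(A) = Pi_{!=1}[(A x A_Sigma) ∩ T] (Section 2.4): run A on the input track
    and T on the (input, output) track, keeping only the output symbol."""
    init = frozenset((qa, qt) for qa in A.init for qt in T.init)
    states, delta, work = set(), {}, list(init)
    while work:
        s = work.pop()
        if s in states:
            continue
        states.add(s)
        for (q, (a, b)), dests in T.delta.items():
            if q != s[1]:
                continue
            for qa2 in A.step(s[0], a):
                for qt2 in dests:
                    delta.setdefault((s, b), set()).add((qa2, qt2))
                    work.append((qa2, qt2))
    final = frozenset(s for s in states if s[0] in A.final and s[1] in T.final)
    return NFA(states, A.alphabet, init, delta, final)


def included(A, B):
    """Decide L(A) ⊆ L(B): explore A in product with the subset construction
    of B, looking for a word accepted by A but rejected by B."""
    seen, work = set(), [(q, B.init) for q in A.init]
    while work:
        q, S = work.pop()
        if (q, S) in seen:
            continue
        seen.add((q, S))
        if q in A.final and not (S & B.final):
            return False
        for a in A.alphabet:
            S2 = frozenset(p2 for p in S for p2 in B.step(p, a))
            for q2 in A.step(q, a):
                work.append((q2, S2))
    return True


PAIRS = [(a, b) for a in "NT" for b in "NT"]   # alphabet Sigma^2 of the transducer


def token_ring_transducer():
    """T_R of Example 9: (N,N)*(T,N)(N,T)(N,N)* (p-states) ∪ (N,T)(N,N)*(T,N) (q-states)."""
    delta = {("p0", ("N", "N")): {"p0"}, ("p0", ("T", "N")): {"p1"},
             ("p1", ("N", "T")): {"p2"}, ("p2", ("N", "N")): {"p2"},
             ("q0", ("N", "T")): {"q1"}, ("q1", ("N", "N")): {"q1"},
             ("q1", ("T", "N")): {"q2"}}
    return NFA({"p0", "p1", "p2", "q0", "q1", "q2"}, PAIRS, {"p0", "q0"}, delta, {"p2", "q2"})


def initial_states():
    """A_{S_0} for TN*: the first process holds the token (Example 9)."""
    return NFA({"i0", "i1"}, "NT", {"i0"},
               {("i0", "T"): {"i1"}, ("i1", "N"): {"i1"}}, {"i1"})


def one_token():
    """Candidate closure N*TN* (assumed by hand, not produced by acceleration)."""
    return NFA({"c0", "c1"}, "NT", {"c0"},
               {("c0", "N"): {"c0"}, ("c0", "T"): {"c1"}, ("c1", "N"): {"c1"}}, {"c1"})


def iterate_image(A, T, steps):
    """Naive iteration A_{k+1} = A_k ∪ T(A_k); returns (A_k, converged)."""
    cur = A
    for _ in range(steps):
        nxt = cur.union(image(cur, T))
        if included(nxt, cur):       # nothing new: fixpoint reached
            return cur, True
        cur = nxt
    return cur, False


def check_closure(A0, T, C):
    """C over-approximates T*(A0) iff A0 ⊆ C and T(C) ⊆ C (inductive check)."""
    return included(A0, C) and included(image(C, T), C)
```

Each iteration adds the new language $N^kTN^*$, so `iterate_image` reports no convergence for any bound, while `check_closure` confirms $N^*TN^*$ as a closure of $TN^*$ under $T_R$.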
3.2 On Solving ($\omega$-)Regular Reachability Problems

Among the techniques to compute $T^*(A)$ and $T^*$, one distinguishes between domain specific and generic techniques. Domain specific techniques exploit the specific properties and representations of the domain being considered and were for instance obtained for systems with FIFO-queues in [BG96,BH97], for systems with integers and reals in [Boi99,BW02,BHJ03], for pushdown systems in [FWW97,BEM97], and for lossy queues in [AJ96]. Generic techniques consider automata-based representations and provide algorithms that operate directly on these representations, mostly disregarding the domain for which they are used. There are various generic techniques for computing $T^*(A)$ and $T^*$ when considering $T$ and $A$ to be finite-word automata (e.g. [BJNT00,DLS02,BLW03]). The $\omega$-regular reachability problems can be addressed with the technique introduced in [BLW04a].



3.3 Convention, Concepts, and Observations 

This section introduces some concepts and observations that will be used throughout the rest of the paper. We first introduce Büchi ($\omega$-)regular systems.

Definition 11 A Büchi ($\omega$-)regular system is a tuple $(M, F)$, where $M = (\Sigma, A_{S_0}, T_R)$ is a ($\omega$-)regular system, and $F$ is a deterministic finite-word (resp. deterministic weak Büchi) automaton called the Büchi acceptance condition.

The notions of set of states, initial states, reachability relation, computation, reachable state, and locally-finite for a Büchi ($\omega$-)regular system $(M, F)$ are defined exactly as those of its underlying ($\omega$-)regular system $M = (\Sigma, A_{S_0}, T_R)$. An infinite computation $\pi = \pi(0)\pi(1)\ldots$ of $(M, F)$ is accepting if and only if there are infinitely many $i$ such that $\pi(i) \in L(F)$. We say that $(M, F)$ is empty if all its infinite executions are non-accepting. In the rest of the paper, we abuse the notations and write $(\Sigma, A_{S_0}, T_R, F)$ instead of $(M, F)$.

We now reason on infinite executions. Consider a (ω-)regular system $M =
(\Sigma, A_{S_0}, T_R)$ that encodes a state-transition system $T = (S, S_0, R)$. The fact
that $T_R$ is structure-preserving does not imply that $M$ is locally-finite. Indeed,
as illustrated by the following example, each state of $T$ can potentially
be associated to an infinite set of encodings.

Example 12 Following the framework of [WB00], the digit 5 can be encoded
in base 2 as 0101, or as 00101, or as 000101, and in fact by any word in
the set $0^+101$.






By definition, parametric systems are always locally-finite. Indeed, the number 
of finite-state processes is fixed during the whole execution. This makes it 
impossible to visit an infinite number of different states. Most other classes 
of infinite-state systems can either be locally-finite or not, depending on their 
specifications. 

Example 13 An integer system that continuously adds 1 to a variable $x$ up
to a constant value is locally-finite. However, if there is no bound on the value
of $x$, then the system is not locally-finite.

Unfortunately, testing whether a system is locally-finite is an undecidable
problem. As a consequence only partial solutions can be proposed. In the rest
of this section, we propose such a solution that is based on a reduction to the
(ω-)regular reachability problems over an augmented system. Our solution is
formalized with the following theorem.

Theorem 14 Consider a state-transition system $T = (S, S_0, R)$ and the following
sets

• $= S_0 \times \{0\}$,

• $R^a = \{((s, i), (s', i+1)) \mid (s, s') \in R \setminus R_{id}\}$,

• $S_{lf} = \{s \in S \mid \exists i, \forall (j > i), \neg\exists s'. ((s, 0), (s', j)) \in (R^a)^*\}$.

If $S_0 \subseteq S_{lf}$, then $T$ is locally-finite.

PROOF. Direct by construction.

The procedure sketched above requires computing the set $S_{lf}$. In the (ω-)regular
model checking framework, this computation can easily be performed
when both $(R^a)^*$ and $S_0$ represent solutions of Presburger arithmetic formulas
[WB00,BJW05].



4 Linear Temporal Properties in Regular Model Checking 

4.1 Definitions 

In this section we propose a methodology to verify linear temporal properties 
of state-transition systems that are represented in the regular model checking 
framework. Our first step is a symbolic representation for linear temporal 
properties in this framework. We propose the following definitions. 
Fig. 1. Global system properties: an illustration.

Definition 15 Given an alphabet $\Sigma$, a state property is a set $cop \subseteq \Sigma^*$ that
can be represented by a finite-word automaton.

Definition 16 Let $COP$ be a finite set of state properties. A global system
property over $COP$ is a set $gsp \subseteq (2^{COP})^\omega$, i.e. a set of infinite sequences of
state properties, that can be represented by a Büchi automaton.

Assume a set of state properties $COP$, and a global system property $gsp$ defined
over $COP$. An execution $\pi = w_0 w_1 w_2 w_3 w_4 \ldots$ of a regular system $M$
satisfies $gsp$, denoted $\pi \models gsp$, if and only if $cop(w_0)cop(w_1)\cdots \in gsp$, where
$cop(w) = \{cop_i \in COP \mid w \models cop_i\}$. We say that $M$ satisfies $gsp$, denoted
$M \models gsp$, if and only if all its executions satisfy the property.



The definition of global system properties is illustrated in Figure 1. 

Remark 17 Any Linear Temporal Logic property^1 (LTL in short) whose
atomic propositions are represented by sets of states is thus a global system
property. The set of LTL properties whose atomic propositions are represented
by sets of states is a strict subset of the set of global system properties.

^1 We assume the reader is familiar with the syntax, the semantics, and the notations
of the linear temporal logic introduced in [Pnu77]. We recall the shortcuts for the
temporal operators, that are $\Box$ for "always", $\Diamond$ for "eventually", and $\bigcirc$ for "next".



4.2 Verification



Assume a regular system $M = (\Sigma, A_{S_0}, T_R)$, a set of state properties $COP =
\{cop_1, \ldots, cop_k\}$, and a global system property $gsp$ defined over $COP$. Suppose
that each $cop_i \in COP$ is represented by a complete deterministic finite-word
automaton $A_{cop_i} = (Q_{cop_i}, \Sigma, q_{0cop_i}, \delta_{cop_i}, F_{cop_i})$. We extend the automata-theoretic
approach of [VW86] towards a semi-algorithm to test whether $M$ satisfies
$gsp$. Our approach consists of three successive steps that are the following:

(1) Computing a complete Büchi automaton $A_{\neg gsp} = (Q_{\neg gsp}, 2^{COP}, q_{0\neg gsp},
\delta_{\neg gsp}, F_{\neg gsp})$ representing the negation of the property $gsp$, i.e.
$(2^{COP})^\omega \setminus gsp$;

(2) Building a Büchi regular system $M^a_{\neg gsp} = (\Sigma^a, A^a_{S_0}, T^a_R, F^a)$ whose accepting
executions correspond to those of $M$ that are accepted by $A_{\neg gsp}$;

(3) Testing whether $M^a_{\neg gsp}$ is empty or not. By construction, $M$ satisfies $gsp$
if and only if $M^a_{\neg gsp}$ is empty.

The property $gsp$ being (by definition) representable by a Büchi automaton,
one can always compute the automaton $A_{\neg gsp}$. We now focus on the two other
problems. The system $M^a_{\neg gsp}$ can be built by taking the product between the
states of $M$ and those of $A_{\neg gsp}$. Given $w, w' \in \Sigma^*$ and $q_{\neg gsp}, q'_{\neg gsp} \in Q_{\neg gsp}$,
the product must ensure that one can move from the pair $(w, q_{\neg gsp})$ to the
pair $(w', q'_{\neg gsp})$ if and only if (1) $(w, w') \in T_R$, and (2) $(q_{\neg gsp}, cop(w), q'_{\neg gsp}) \in
A_{\neg gsp}$. Since the set of states of $M$ may be infinite, we have to work with
a symbolic representation of $cop$. We propose to represent $cop$ implicitly by
associating to each pair $(w, q)$ the set $COP_i$ such that $cop(w) = COP_i$. Hence
a state of the product is now a triple $(w, q_{\neg gsp}, COP_i)$ such that (1) $w \in \Sigma^*$,
(2) $q_{\neg gsp} \in Q_{\neg gsp}$, and (3) $cop(w) = COP_i$. Each triple $(w, q_{\neg gsp}, COP_i)$ has
to be encoded by a finite word over an extended alphabet. The solution is to
label the last symbol of $w$ with $COP_i$ and $q_{\neg gsp}$, and the other symbols by $\bot$.
Hence, we define the augmented alphabet to be

$\Sigma^a = \Sigma \times (Q_{\neg gsp} \cup \{\bot\}) \times (2^{COP} \cup \{\bot\}).$

Given a word $w^a \in (\Sigma^a)^*$, we denote by $\Pi_\Sigma(w^a)$ the word $w \in \Sigma^*$ obtained
from $w^a$ by removing all the symbols that do not belong to $\Sigma$. As an example,
given $w^a = (w(0), \bot, \bot)(w(1), \bot, \bot) \cdots (w(n-1), q, \Lambda)$ with $q \in Q_{\neg gsp}$,
$\Lambda \in 2^{COP}$, $\Pi_\Sigma(w^a) = w(0)w(1)\cdots w(n-1)$.

An execution $\pi^a = w^a_0 w^a_1 w^a_2 \ldots$ of $M^a_{\neg gsp}$ is an infinite sequence of finite words
over $\Sigma^a$. This sequence has to satisfy the following four requirements:

(1) For each $i \ge 1$, $(\Pi_\Sigma(w^a_{i-1}), \Pi_\Sigma(w^a_i)) \in T_R$, which ensures that the transitions
of $M^a_{\neg gsp}$ are compatible with the transition relation of $M$;

(2) For each $i \ge 0$, $w^a_i \in (\Sigma \times \bot \times \bot)^* (\Sigma \times Q_{\neg gsp} \times 2^{COP})$;

(3) For each $i \ge 0$ and $w^a_i = (w_i(0), \bot, \bot)(w_i(1), \bot, \bot) \cdots (w_i(n-1), q_{i\neg gsp}, COP_i)$,
$cop(\Pi_\Sigma(w^a_i)) = COP_i$;

(4) For each $i \ge 1$ and $w^a_{i-1} = (w_{i-1}(0), \bot, \bot) \cdots (w_{i-1}(n-1), q_{i-1\neg gsp}, COP_{i-1})$,
and $w^a_i = (w_i(0), \bot, \bot)(w_i(1), \bot, \bot) \cdots (w_i(n-1), q_{i\neg gsp}, COP_i)$,
we have $(q_{i-1\neg gsp}, COP_{i-1}, q_{i\neg gsp}) \in A_{\neg gsp}$, this to ensure
that the infinite sequence of labellings from $2^{COP}$ and $Q_{\neg gsp}$ forms a run
of the automaton $A_{\neg gsp}$.

We have to build the automata $A^a_{S_0}$ and $T^a_R$ in such a way that the four
requirements above are satisfied.

Let $T_R = (Q_R, \Sigma^2, q_{0R}, \delta_R, F_R)$; the transducer $T^a_R = (Q^a_R, (\Sigma^a)^2, q^a_{0R}, \Delta^a_R, F^a_R)$
is built as follows:

• The set of states $Q^a_R$ is $Q^a_R = Q_R \times \prod_{1 \le i \le k} Q_{cop_i} \times \{0, 1\}$, the last Boolean
being used to remember whether non-$\bot$ labellings have been seen, and $\prod_{1 \le i \le k} Q_{cop_i}$
being used to run the automata representing the state properties, this to ensure
that each state of $M^a_{\neg gsp}$ is associated to the set of state properties it satisfies;

• The initial state is $q^a_{0R} = (q_{0R}, q_{0cop_1}, \ldots, q_{0cop_k}, 0)$;

• The transition relation is defined by

$(q'_R, q'_{cop_1}, \ldots, q'_{cop_k}, b') \in \Delta^a_R((q_R, q_{cop_1}, \ldots, q_{cop_k}, b), ((a_1, \alpha_1, \Lambda_1), (a_2, \alpha_2, \Lambda_2)))$
if and only if

■ $q'_R \in \delta_R(q_R, (a_1, a_2))$ and $q'_{cop_i} = \delta_{cop_i}(q_{cop_i}, a_1)$, for $1 \le i \le k$,

■ $b' = 1$ if and only if $\Lambda_1, \alpha_1, \Lambda_2$, and $\alpha_2$ are not equal to $\bot$ and, in this
case, $\alpha_2 \in \delta_{\neg gsp}(\alpha_1, \Lambda_1)$, which checks that we have a run of $A_{\neg gsp}$ and,
for $1 \le i \le k$, $q'_{cop_i} \in F_{cop_i}$ if and only if $cop_i \in \Lambda_1$, which checks that
the label $\Lambda_1$ matches the result of running the automata $A_{cop_i}$ on the state
(this justifies the need for each $A_{cop_i}$ to be deterministic and complete);

• The set of accepting states $F^a_R$ is defined as $F_R \times \prod_{1 \le i \le k} Q_{cop_i} \times \{1\}$.

The definition of $T^a_R$ ensures that requirements (1), (3) and (4) are satisfied.

The set of initial states of $M^a_{\neg gsp}$ contains states of the following form:

$(w(0), \bot, \bot) \cdots (w(n-2), \bot, \bot)(w(n-1), q_{0\neg gsp}, \Lambda),$

where $w(0) \cdots w(n-1) \in L(A_{S_0})$ and $\Lambda$ is any element of $2^{COP}$. This definition
combined with the one of $T^a_R$ ensures that the second requirement on
the executions of $M^a_{\neg gsp}$ is always satisfied. The set of initial states can be
represented by a finite-word automaton that is given by $A_{S_0} \times A_\bot$, where
$A_\bot$ is the automaton representing the set $(\bot \times \bot)^* (q_{0\neg gsp} \times 2^{COP})$.

The set of accepting states of $M^a_{\neg gsp}$ is defined as follows:
$(\Sigma \times \{\bot\} \times \{\bot\})^* (\Sigma \times F_{\neg gsp} \times 2^{COP}).$
We directly see that this set can be represented by a finite-word automaton.
Theorem 18 The Büchi regular system $M^a_{\neg gsp}$ has an accepting execution of
the form $\pi^a = \pi^a(0)\pi^a(1)\ldots$ if and only if the execution $\pi = w_0 w_1 w_2 \ldots$ of
$M$, where $w_i = \Pi_\Sigma(\pi^a(i))$ ($\forall i$), does not satisfy $gsp$.

PROOF. Follows from the construction above.

The next step is to test whether $M^a_{\neg gsp}$ is empty or not. If $M$ is locally-finite,
then $M^a_{\neg gsp}$ is also locally-finite and checking the emptiness of $M^a_{\neg gsp}$ can be
reduced to solving the regular reachability problems. We have the following
result.

Proposition 19 If $M^a_{\neg gsp}$ is locally-finite, then it is empty if and only if

PROOF. Direct by observing that since $M^a_{\neg gsp}$ is locally-finite, any of its
accepting executions must repeatedly reach a given state in $F^a$.
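As an added example, not taken from the paper, the following Python code carries out the three steps above on a finite state-transition system, so that the system is locally-finite and the reachability argument of Proposition 19 applies directly: it builds the product of the system with a Büchi automaton for the negation of $gsp$, where a product transition from $(w, q)$ to $(w', q')$ requires $(w, w') \in R$ and $(q, cop(w), q')$ to be a transition of $A_{\neg gsp}$, and then looks for a reachable accepting product state that can reach itself again. The request/grant system, the state properties $p$ and $q$, and the automaton for $\neg\Box(p \Rightarrow \Diamond q)$ are constructed for this example; transition guards are written as predicates on letters of $2^{COP}$ rather than as explicit letter sets.

```python
from collections import deque

# Constructed sample: a request/grant loop T = (S, S0, R) with states
# idle, req, grant.  SYSTEM_BAD lets a request stay pending forever
# (req -> req); SYSTEM_GOOD forces every request to be granted.
S0 = {"idle"}
R_BAD = {("idle", "idle"), ("idle", "req"), ("req", "req"),
         ("req", "grant"), ("grant", "idle")}
R_GOOD = R_BAD - {("req", "req")}
SYSTEM_BAD = (S0, R_BAD)
SYSTEM_GOOD = (S0, R_GOOD)

# State properties COP = {p, q}, each given as the set of states it holds in.
PROPS = {"p": {"req"}, "q": {"grant"}}

# Buchi automaton for the negation of gsp = "always (p implies eventually q)",
# i.e. "eventually (p and always not q)", read over letters of 2^COP.
# Each transition is (q, guard, q') with the guard a predicate on the letter.
NEG_GSP = (
    {"q0"},                                              # initial states
    [("q0", lambda a: True, "q0"),
     ("q0", lambda a: "p" in a and "q" not in a, "q1"),
     ("q1", lambda a: "q" not in a, "q1")],
    {"q1"},                                              # accepting states
)


def cop(state, props):
    """cop(w): the set of state properties satisfied by a state."""
    return frozenset(name for name, holds in props.items() if state in holds)


def reachable(succ, starts):
    """All states reachable from `starts` (inclusive) under `succ`."""
    seen, todo = set(starts), deque(starts)
    while todo:
        x = todo.popleft()
        for y in succ(x):
            if y not in seen:
                seen.add(y)
                todo.append(y)
    return seen


def check_gsp(system, neg_buchi, props):
    """Return an accepting product state lying on a reachable cycle
    (a witness that gsp is violated), or None if the product is empty."""
    s0, rel = system
    q0, delta, acc = neg_buchi

    def succ(pair):
        # Product step: (w, q) -> (w', q') iff (w, w') in R and
        # (q, cop(w), q') is a transition of the negated-property automaton.
        s, q = pair
        letter = cop(s, props)
        return [(s2, q2) for (s1, s2) in rel if s1 == s
                for (q1, guard, q2) in delta if q1 == q and guard(letter)]

    init = [(s, q) for s in s0 for q in q0]
    for state in sorted(reachable(succ, init)):
        # Locally-finite case: an accepting execution must revisit some
        # accepting state, so look for one reachable from its own successors.
        if state[1] in acc and state in reachable(succ, succ(state)):
            return state
    return None


if __name__ == "__main__":
    print(check_gsp(SYSTEM_BAD, NEG_GSP, PROPS))   # ('req', 'q1')
    print(check_gsp(SYSTEM_GOOD, NEG_GSP, PROPS))  # None
```

The witness returned for SYSTEM_BAD is the product state in which the request is pending and the automaton has committed to "never granted"; removing the req → req self-loop makes the product empty, which is the emptiness test of step (3).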

If $M^a_{\neg gsp}$ is not locally-finite, then we cannot reduce the problem of deciding if
it has an infinite accepting execution to the one of finding reachable accepting
loops. Indeed, in this case, an infinite execution could never visit the same
state twice. Therefore, our approach is to search for a reachable state $w$ from
which it is possible to nontrivially reach some state $w'$ such that (1) the path
from $w$ to $w'$ visits a repeating state of $A_{\neg gsp}$, and (2) $w'$ has at least the
same execution paths as $w$. To check condition (2), we actually check for
a stronger condition, which is the fact that $w'$ must simulate $w$.

We define the greatest simulation relation over $M^a_{\neg gsp}$ which is compatible with
the set of state properties $COP$ to be the relation $Sim$ defined as the limit of
the (possibly infinite) decreasing sequence of relations $Sim_0, Sim_1, Sim_2, \ldots$
with

$Sim_0 = \{(w^a_1, w^a_2) \mid w^a_1 \times w^a_2 \in (\Sigma^a \times \Sigma^a)^* \wedge cop(\Pi_\Sigma(w^a_1)) = cop(\Pi_\Sigma(w^a_2))\}$ (1)

$Sim_{k+1} = Sim_k \cap \{(w^a_1, w^a_2) \in Sim_k \mid
\forall w'^a_1.((w^a_1, w'^a_1) \in [L(T^a_R)] \Rightarrow \exists w'^a_2.((w^a_2, w'^a_2) \in [L(T^a_R)] \wedge (w'^a_1, w'^a_2) \in Sim_k))\}, \forall k \in \mathbb{N}$ (2)

The complement of Sim, denoted -^Sim, is the set {(^^,^2) | {wiXW2 G 
(E" X S'^)*) A 

^ Sim))}. The greatest simulation equivalence over M^^^^ which 
is compatible with COP is the relation Sim = Sim fl Sim~^. Observe that 
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Simo can be represented by a finite-word transducer over the alphabet (E°)^. 
Since, for each k>0, the relation Sirrik+i is defined in terms of the relations 
[L(T^)] and Sinik using Boolean operations and projections (needed to apply 
the quantifiers), it can be represented by a finite- word transducer over the 
alphabet (S'^)^. Moreover, if Sirrik can be represented by a transducer, then 
its complement and inverse can also be represented in the same way. 

Assume that Sim and (S'*)* are respectively represented by a transducer Tsim 
and an automaton A^'^"'^* . We have the following result. 

Proposition 20 If

then $M^a_{\neg gsp}$ has an infinite execution that does not satisfy $gsp$.

PROOF. The set $L(\Pi_2(((T^a_R)^+ \cap (A^{(\Sigma^a)^*} \times F^a)) \cap T_{Sim}))$ is the set of states $w$
from which it is possible to reach an accepting state $w'$ such that $w'$ simulates
$w$. Since $w'$ simulates $w$, one can reach from $w'$ another accepting state $w''$
that simulates $w'$ and, inductively, there exists an execution that infinitely
often goes through an accepting state.
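As an added example (not part of the paper), here is the iteration of equations (1) and (2) and the test described in the proof of Proposition 20, carried out explicitly on two small finite graphs constructed for the purpose. The symbolic transducer machinery of the paper is replaced by explicit sets of pairs; the graphs, their $cop$ labelling and their accepting states are assumptions of this example, and the $Sim_0$ labelling is taken to include the accepting flag (an assumption added here) so that a state that simulates an accepting state is itself accepting, which is what the inductive step of the proof uses.

```python
from collections import deque

# Constructed finite Buchi-labelled graph standing in for M^a_{not gsp}:
# SUCC gives the transition relation, LABEL the cop() labelling of each
# state, ACC the accepting states (the F^a of the text).
SUCC_LASSO = {0: [1], 1: [2], 2: [3], 3: [4], 4: [3]}
LABEL_LASSO = {0: "init", 1: "b", 2: "f", 3: "b", 4: "f"}
ACC_LASSO = {2, 4}

# Same shape, but no accepting state is revisited: 2 -> 3 -> 3 loops, and a
# dead-end state 5 shares its label with 3, which Sim_1 must separate.
SUCC_NOACC = {0: [1], 1: [2], 2: [3], 3: [3, 5], 5: []}
LABEL_NOACC = {0: "init", 1: "b", 2: "f", 3: "b", 5: "b"}
ACC_NOACC = {2}


def greatest_simulation(succ, label, acc):
    """Sim_0, Sim_1, ... as in equations (1)-(2), on a finite graph.

    Returns (Sim, k) with Sim = Sim_k the first fixed point.  Assumption of
    this example: the Sim_0 labelling is cop together with the accepting
    flag, so a simulating state is accepting whenever the simulated one is."""
    states = list(succ)
    key = lambda w: (label[w], w in acc)
    sim = {(w1, w2) for w1 in states for w2 in states if key(w1) == key(w2)}
    k = 0
    while True:
        # Keep (w1, w2) only if every move of w1 is matched by a move of w2
        # into a pair that is still in the current relation (equation (2)).
        nxt = {(w1, w2) for (w1, w2) in sim
               if all(any((w1p, w2p) in sim for w2p in succ[w2])
                      for w1p in succ[w1])}
        k += 1
        if nxt == sim:
            return sim, k
        sim = nxt


def reachable(succ, starts):
    """States reachable from `starts` (inclusive)."""
    seen, todo = set(starts), deque(starts)
    while todo:
        x = todo.popleft()
        for y in succ[x]:
            if y not in seen:
                seen.add(y)
                todo.append(y)
    return seen


def simulation_witness(succ, label, acc, init):
    """The test of Proposition 20 as its proof reads: a reachable state w
    with a nontrivial path to an accepting w' such that w' simulates w,
    i.e. (w, w') in Sim.  Returns (w, w') or None."""
    sim, _ = greatest_simulation(succ, label, acc)
    for w in sorted(reachable(succ, init)):
        for w2 in sorted(reachable(succ, succ[w])):   # reached in >= 1 step
            if w2 in acc and (w, w2) in sim:
                return (w, w2)
    return None


if __name__ == "__main__":
    print(simulation_witness(SUCC_LASSO, LABEL_LASSO, ACC_LASSO, [0]))  # (2, 4)
    print(simulation_witness(SUCC_NOACC, LABEL_NOACC, ACC_NOACC, [0]))  # None
```

On the first graph $Sim_0$ is already the fixed point and the pair $(2, 4)$ satisfies the condition: state 4 is accepting, reachable from 2 in two steps, and simulates 2. On the second graph $Sim_1$ is strictly smaller than $Sim_0$ (the dead-end state 5 can no longer simulate 3, whose moves it cannot match) and no pair qualifies, which is consistent with the absence of an accepting cycle.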

The main issue is now to determine whether the iterative computation of Sim 
terminates and can be represented by an automaton. We consider the two 
following cases. 

4.2.1 Exact Analysis

We say that $M^a_{\neg gsp}$ has a finite-index simulation if the simulation equivalence
$Sim$ has a finite number of equivalence classes. The following lemma is quite
straightforward.

Lemma 21 The iterative computation of the simulation relation $Sim$ terminates
if and only if $M^a_{\neg gsp}$ has a finite-index simulation.

If $M^a_{\neg gsp}$ has a finite-index simulation equivalence, then every infinite execution
of $M^a_{\neg gsp}$ must visit infinitely often some of the equivalence classes. Therefore,
we have the following proposition.

Proposition 22 Assume that the system $M^a_{\neg gsp}$ has a finite-index simulation.
$M^a_{\neg gsp}$ has an accepting execution if and only if

However, the system $M^a_{\neg gsp}$ does not in general have a finite-index simulation. Moreover
this property is undecidable. Therefore, we adopt an approach based on the
use of over/lower approximations of $Sim$.

4.2.2 Using lower approximations

Instead of computing the decreasing sequence of relations $(Sim_i : i \in \mathbb{N})$,
we can compute the increasing sequence of their negations $(\neg Sim_i : i \in \mathbb{N})$.
Then, the computed sequence of relations is actually an increasing sequence
of relations $(N_i : i \in \mathbb{N})$ such that for every $i \ge 0$, $N_i = \neg Sim_i$. Since each $N_i$
can be represented by a transducer, we can use the extrapolation-based technique
of [BLW03,BLW04a,Leg07]. The technique can compute an automaton
that represents an extrapolation $N'^*$ of the limit $\bigcup_{i=0}^{\infty} N_i$ by observing finite
prefixes of the sequence $N_0, N_1, N_2, \ldots$. A sufficient criterion to test whether
this extrapolation is safe (does it contain the limit?) consists in applying one
more time the construction that builds $Sim_{k+1}$ from $Sim_k$ to the complement
of $N'^*$, and then checking whether the complement of the result we obtain is included
in $N'^*$. We can use the technique of [BLW03,BLW04a,Leg07] to compute an
upper approximation $N'^*$ of the limit of the sequence $(N_i : i \in \mathbb{N})$. The negation
of $N'^*$, denoted $\neg N'^*$, is a lower approximation of $Sim$. Let $T_{\neg N'^*}$ be the
transducer representing $\neg N'^*$. If the following condition holds

then we can deduce that $M^a_{\neg gsp}$ has an infinite accepting execution, which
means that $M$ does not satisfy the property $gsp$.



5 Linear Temporal Properties in ω-Regular Model Checking

5.1 Definitions

We extend the concept of global system properties from regular to ω-regular
systems. For this, we simply encode state properties as sets of infinite words
rather than sets of finite words. We propose the following definitions.

Definition 23 Given an alphabet $\Sigma$, an ω-state property is a set $cop \subseteq \Sigma^\omega$
that can be represented by a deterministic weak Büchi automaton.

The choice of using deterministic weak automata to represent ω-state properties
is for technical reasons that will be clarified in the next section.
Definition 24 Let $COP$ be a finite set of ω-state properties defined over an
alphabet $\Sigma$. An ω-global system property over $COP$ is a set $gsp \subseteq (2^{COP})^\omega$,
i.e. a set of infinite sequences of ω-state properties, that can be represented by
a Büchi automaton.

Assume a set of ω-state properties $COP$, and a global system property $gsp$
defined over $COP$. An execution $\pi = w_0 w_1 w_2 w_3 w_4 \ldots$ of an ω-regular system
$M$ satisfies $gsp$, denoted $\pi \models gsp$, if and only if $cop(w_0)cop(w_1)\cdots \in gsp$,
where $cop(w) = \{cop_i \in COP \mid w \models cop_i\}$. We say that $M$ satisfies $gsp$,
denoted $M \models gsp$, if and only if all its executions satisfy the property.



5.2 Verification 



Assume an ω-regular system $M = (\Sigma, A_{S_0}, T_R)$, a set of ω-state properties
$COP = \{cop_1, \ldots, cop_k\}$, and an ω-global system property $gsp$ defined over
$COP$. Suppose that the negation of $gsp$ can be represented by a Büchi automaton
$A_{\neg gsp} = (Q_{\neg gsp}, 2^{COP}, q_{0\neg gsp}, \delta_{\neg gsp}, F_{\neg gsp})$, and that each $cop_i \in COP$ can
be represented by a complete deterministic weak Büchi automaton $A_{cop_i} =
(Q_{cop_i}, \Sigma, q_{0cop_i}, \delta_{cop_i}, F_{cop_i})$.

To test whether $M$ satisfies $gsp$, we proceed as in Section 4.2 and build a Büchi
ω-regular system $M^a_{\neg gsp} = (\Sigma^a, A^a_{S_0}, T^a_R, F^a)$ whose executions correspond to
those of $M$ that do not satisfy $gsp$. We then check whether $M^a_{\neg gsp}$ is empty or
not. We already provided partial solutions to test whether a Büchi regular system
is empty or not, and those solutions directly extend to Büchi ω-regular
systems. In the rest of this section, we mainly focus on the construction of
$M^a_{\neg gsp}$.

The main difference between the present case and the one in Section 4.2 is
that since we are working with infinite words, we cannot encode the current
state of the Büchi automaton $A_{\neg gsp}$ and the current set of ω-state properties
satisfied in only one position of each word of $M$. Therefore, we include this
information everywhere (in each position) of the word. We must also ensure
that this information is the same for each position (which is needed to be
coherent with the definition of product between $M$ and $A_{\neg gsp}$). We use the
following augmented alphabet:



Let $T_R = (Q_R, \Sigma^2, q_{0R}, \delta_R, F_R)$; the possibly nondeterministic transducer
$T^a_R = (Q^a_R, (\Sigma^a)^2, Q^a_{0R}, \Delta^a_R, F^a_R)$ is built as follows:
• The set of states is $Q^a_R = Q_R \times \prod_{1 \le i \le k} Q_{cop_i} \times Q_{\neg gsp} \times 2^{COP}$. Instead of the
Boolean variable, we have to store the state of $A_{\neg gsp}$ and the set $COP_i \in 2^{COP}$
in each state of $T^a_R$;

• The set of initial states $Q^a_{0R}$ contains elements of the form $(q_{0R}, q_{0cop_1}, \ldots, q_{0cop_k},
q_{0\neg gsp}, \Lambda)$, where $\Lambda$ is any element in $2^{COP}$;

• The transition relation is defined by $(q'_R, q'_{cop_1}, \ldots, q'_{cop_k}, \alpha_2, \Lambda_2) \in
\Delta^a_R((q_R, q_{cop_1}, \ldots, q_{cop_k}, \alpha_1, \Lambda_1), ((a_1, \alpha_1, \Lambda_1), (a_2, \alpha_2, \Lambda_2)))$ if and only if

■ $q'_R \in \delta_R(q_R, (a_1, a_2))$ and $q'_{cop_i} = \delta_{cop_i}(q_{cop_i}, a_1)$, for $1 \le i \le k$,

■ $\alpha_2 \in \delta_{\neg gsp}(\alpha_1, \Lambda_1)$, which checks that we have a run of $A_{\neg gsp}$;

• The set of accepting states contains states of the form $(q_R, q_{cop_1}, \ldots, q_{cop_k},
\alpha_1, \Lambda_1)$ with, for $1 \le i \le k$, $q_{cop_i} \in F_{cop_i}$ iff $cop_i \in \Lambda_1$.

Observe that, since $T_R$ is deterministic weak and the ω-state properties are
represented by deterministic weak automata, the transducer $T^a_R$ is also deterministic
weak.

The initial states of $M^a_{\neg gsp}$ are those of the following form:

$(w(0), q_{0\neg gsp}, \Lambda)(w(1), q_{0\neg gsp}, \Lambda) \cdots$

where $w(0)w(1)\cdots \in L(A_{S_0})$, and $\Lambda$ is any element of $2^{COP}$.

The set of accepting states of $M^a_{\neg gsp}$ are those of the following form:

$(\Sigma \times q_{\neg gsp} \times COP_i)(\Sigma \times q_{\neg gsp} \times COP_i) \cdots$

where $COP_i \in 2^{COP}$ and $q_{\neg gsp} \in F_{\neg gsp}$. We directly see that the sets of initial
and accepting states can be represented by deterministic weak automata.

Theorem 25 The Büchi regular system $M^a_{\neg gsp}$ has an accepting execution of
the form $\pi^a = \pi^a(0)\pi^a(1)\ldots$ if and only if the execution $\pi = w_0 w_1 w_2 \ldots$ of
$M$, where $w_i = \Pi_\Sigma(\pi^a(i))$ ($\forall i$), does not satisfy $gsp$.



PROOF. Follows from the construction above.



As already mentioned, testing the emptiness of $M^a_{\neg gsp}$ can be done with the
techniques developed in Section 4.2. Recall that the definition of the greatest
simulation relation over $M^a_{\neg gsp}$ is given by the limit of the (possibly infinite)
decreasing sequence of relations $Sim_0, Sim_1, \ldots$ defined as follows:

$Sim_0 = \{(w^a_1, w^a_2) \mid w^a_1 \times w^a_2 \in (\Sigma^a \times \Sigma^a)^\omega \wedge cop(\Pi_\Sigma(w^a_1)) = cop(\Pi_\Sigma(w^a_2))\}$ (3)

$Sim_{k+1} = Sim_k \cap \{(w^a_1, w^a_2) \in Sim_k \mid
\forall w'^a_1.((w^a_1, w'^a_1) \in [L(T^a_R)] \Rightarrow \exists w'^a_2.((w^a_2, w'^a_2) \in [L(T^a_R)] \wedge (w'^a_1, w'^a_2) \in Sim_k))\}, \forall k \in \mathbb{N}$ (4)






A lower approximation of the limit of this sequence can be computed with the
techniques introduced in [BLW04a,Leg07]. In the present case, the technique
requires that each of the $Sim_k$ can be represented by a deterministic weak
automaton. It is easy to see that $Sim_0$ can be represented by a deterministic
weak Büchi automaton. However, the fact that $Sim_k$ is represented by a deterministic
weak Büchi automaton does not necessarily imply that $Sim_{k+1}$ can
be represented in the same way. Indeed, building $Sim_{k+1}$ from $Sim_k$ requires
projection operations, and there is no theoretical guarantee that the resulting
automaton can be turned into a deterministic weak one.



6 Linear Temporal Properties for Parametric Systems: Parametrization

Suppose that we are working with a regular system representing a parametric
system. Global system properties allow one to express communal temporal properties
of parametric systems, i.e. properties such as "if a process is in a state
$s_1$, then finally some (possibly different) process will reach a state $s_2$". However,
global system properties cannot express individual temporal properties,
i.e. properties such as "if the process $i$ is in a state $s_1$, then finally the process
$i$ (the same process) will reach a state $s_2$". Indeed, global system properties
can only reason on the whole execution of a system, while individual temporal
properties require reasoning on the execution of one of the processes. In this
section, we define a new class of temporal properties that allows one to express
individual temporal properties of parametric systems.

6.1 Definitions

In our model, an execution of a parametric system is represented by an infinite
sequence of finite words of identical length. Each position in these words
corresponds to the state of a process, also called a local state, and the infinite
sequence of identically positioned letters in an execution represents a process
execution. We thus use the following notations and definitions.

Definition 26 Consider an execution $\pi = w_0 w_1 w_2 w_3 \ldots$ of a regular system
$M = (\Sigma, A_{S_0}, T_R)$. The $j$th local projection $\Pi_j(\pi)$ is the infinite word
$w_0(j) w_1(j) w_2(j) \cdots$.

Given an execution $\pi = w_0 w_1 w_2 w_3 \ldots$ of a parametric system, the $j$th local
projection $\Pi_j(\pi)$ corresponds to the execution of the $j$th process.

Fig. 2. Local-oriented system properties: an illustration.

Definition 27 Given an alphabet $\Sigma$, a local execution property is a set $\ell ep \subseteq
\Sigma^\omega$ that can be represented by a Büchi automaton.

A local execution property $\ell ep$ is satisfied by an execution $\pi$ of a parametric
system at position $j$, denoted $\Pi_j(\pi) \models \ell ep$, if and only if $\Pi_j(\pi) \in \ell ep$.

We are now ready to define a logic suited for parametric systems. 

Definition 28 Given a set of local execution properties $LEP = \{\ell ep_1, \ldots, \ell ep_k\}$,
a local-oriented system property is a set $\ell osp \subseteq (2^{LEP})^*$, i.e. a set of finite
sequences of subsets of $LEP$, that can be represented by a finite-word automaton.

Assume a local-oriented system property $\ell osp$ defined over $LEP$. An execution
$\pi$ of a parametric system $M$ satisfies $\ell osp$, denoted $\pi \models \ell osp$, if and only if
$lep(\Pi_1(\pi)) lep(\Pi_2(\pi)) \cdots lep(\Pi_n(\pi)) \in \ell osp$, where $n$ is the common length of
the words in $\pi$, and $lep(\Pi_j(\pi)) = \{\ell ep_i \in LEP \mid \Pi_j(\pi) \models \ell ep_i\}$. We say that
$M$ satisfies $\ell osp$, denoted $M \models \ell osp$, if and only if all its executions satisfy
the property.






The definition of local-oriented system properties is illustrated in Figure 2. 

Example 29 Consider the parametric system defined in Example 9. Given a
natural $i$ and a state $N$, the Boolean proposition $N[i]$ is true if and only if the
$i$-th process involved in the computation (i.e. the one whose state is encoded in
the $i$-th letter of the word describing the global state) is in state $N$. The fact
that whenever a process $i$ is in state $N[i]$, it will eventually move to state $T[i]$
($\Box(N[i] \Rightarrow \Diamond T[i])$ using the well-known notations for LTL) is a local execution
property. That this property holds for each process ($\forall i (\Box(N[i] \Rightarrow \Diamond T[i]))$) is then
a local-oriented system property. It is easy to see that this property is trivially
satisfied by the system. Indeed, the transition relation does not allow a
process to keep the token indefinitely.



6.2 Verification 

Consider a regular system $M = (\Sigma, A_{S_0}, T_R)$ that represents a parametric
system, a set of local execution properties $LEP = \{\ell ep_1, \ldots, \ell ep_k\}$, and a local-oriented
system property $\ell osp$ defined over $LEP$. Suppose that for $1 \le i \le k$,
$\ell ep_i$ is represented by a Büchi automaton $A_{\ell ep_i} = (Q_{\ell ep_i}, q_{0\ell ep_i}, \delta_{\ell ep_i}, F_{\ell ep_i})$,
which is assumed to be complete. We extend the automata-theoretic approach
of [VW86] towards a semi-algorithm to test whether $M$ satisfies $\ell osp$. Our
approach consists of three successive steps that are the following:

(1) Computing a deterministic finite-word automaton $A_{\neg\ell osp} = (Q_{\neg\ell osp}, 2^{LEP},
q_{0\neg\ell osp}, \delta_{\neg\ell osp}, F_{\neg\ell osp})$, which is the finite-word automaton accepting the finite
sequences that do not satisfy $\ell osp$, i.e. sequences in $\neg\ell osp = (2^{LEP})^* \setminus \ell osp$;

(2) Building a Büchi regular system $M^a_{\neg\ell osp} = (\Sigma^a, A^a_{S_0}, T^a_R, F^a)$ whose accepting
executions correspond to those of $M$ that are accepted by $A_{\neg\ell osp}$;

(3) Testing whether $M^a_{\neg\ell osp}$ is empty or not.

The property $\ell osp$ being (by definition) representable by a finite-word automaton,
one can always compute the automaton $A_{\neg\ell osp}$. Computing $M^a_{\neg\ell osp}$ is
a much harder endeavor for which we propose the following solution.

For each automaton $A_{\ell ep_i}$, we assume the existence of a complete automaton
$A_{\neg\ell ep_i} = (Q_{\neg\ell ep_i}, q_{0\neg\ell ep_i}, \delta_{\neg\ell ep_i}, F_{\neg\ell ep_i})$ whose accepted language is the
complement of the one of $A_{\ell ep_i}$. Consider an execution $\pi^a$ of $M^a_{\neg\ell osp}$. Since,
a priori, we do not know which local execution property will be satisfied by
which process, each of the automata $A_{\ell ep_i}$ and $A_{\neg\ell ep_i}$ has to be run in parallel^2
with the local executions of the processes involved in $\pi$. So, we need to extend
the alphabet of $M$ in such a way that each local state is now also labeled by
a state of each of the $A_{\ell ep_i}$ and $A_{\neg\ell ep_i}$. For each $1 \le i \le k$, running $A_{\neg\ell ep_i}$
is necessary since, the automaton $A_{\ell ep_i}$ being nondeterministic, the fact that
it has a nonaccepting run does not indicate that the corresponding property
does not hold.

^2 This can be achieved since the automata are complete.
Furthermore, in each position, each property $\ell ep_i \in LEP$ might be satisfied
($A_{\ell ep_i}$ has an accepting run), or might not be satisfied ($A_{\neg\ell ep_i}$ has an accepting
run). We make a note of these facts by also labeling each position by an element
of $2^{LEP}$ corresponding exactly to the properties $\ell ep_i$ that are satisfied.
This labeling will remain unchanged from position to position and will enable
us to run the automaton $A_{\neg\ell osp}$. The next step is to check whether there is an
execution of $M^a_{\neg\ell osp}$ that is accepting for suitable automata $A_{\ell ep_i}$ and $A_{\neg\ell ep_i}$.
Precisely, at a given position $j$ in the state, the run of the automaton $A_{\ell ep_i}$
has to be accepting if $\ell ep_i \in lep_j$ and the run of $A_{\neg\ell ep_i}$ has to be accepting
if $\ell ep_i \notin lep_j$, where $lep_j$ is the element of $2^{LEP}$ labeling that position. We
thus face the problem of checking not one, but several Büchi conditions,
i.e. a generalized Büchi condition. To do this, we use the fact that a generalized
Büchi automaton has an accepting run exactly when it has an accepting
run that goes sequentially through each of the accepting sets. We now define
$M^a_{\neg\ell osp}$. The augmented alphabet is

$\Sigma^a = \Sigma \times \prod_{1 \le i \le k} Q_{\ell ep_i} \times \prod_{1 \le i \le k} Q_{\neg\ell ep_i} \times 2^{LEP} \times 2^{LEP} \times \{reset, noreset\}.$

We thus have two subsets of $LEP$, the second being used to remember whether suitable
automata checking for properties $\ell ep_i$ (or $\neg\ell ep_i$) have seen an accepting
state; the last component of the labeling indicates whether the second of these
subsets has just been reset or not. We denote by $\Pi_\Sigma(w^a)$ the word $w \in \Sigma^*$
obtained from $w^a$ by removing all the symbols that do not belong to $\Sigma$.

An execution $\pi^a = w^a_0 w^a_1 w^a_2 \ldots$ of $M^a_{\neg\ell osp}$ is an infinite sequence of finite words
over $\Sigma^a$ that has to satisfy three requirements:

(1) For each $i \ge 1$, $(\Pi_\Sigma(w^a_{i-1}), \Pi_\Sigma(w^a_i)) \in T_R$, which ensures that the transitions
of $M^a_{\neg\ell osp}$ are compatible with the transition relation of $M$;

(2) For each position in a state, the labelings by states of the $A_{\ell ep_i}$ form a run
of these automata;

(3) The labeling of each position by elements of $2^{LEP}$ stays the same when
moving from one state to the next one.

We have to build $A^a_{S_0}$, $F^a$, and $T^a_R$ in such a way that the three requirements
above are satisfied.

Let $T_R = (Q_R, \Sigma^2, q_{0R}, \delta_R, F_R)$. The possibly nondeterministic transducer $T^a_R =
(Q^a_R, (\Sigma^a)^2, q^a_{0R}, \Delta^a_R, F^a_R)$ is built as follows:

• Its set of states and accepting states are $Q^a_R = Q_R$ and $F^a_R = F_R$, respectively;
its initial state is $q^a_{0R} = q_{0R}$;

• The transition relation is defined by (assuming nondeterministic automata)

if and only if

■ $q'_R \in \delta_R(q_R, (a_1, a_2))$ and, for $1 \le i \le k$, $q_{2\ell ep_i} \in \delta_{\ell ep_i}(q_{1\ell ep_i}, a_1)$ and
$q_{2\neg\ell ep_i} \in \delta_{\neg\ell ep_i}(q_{1\neg\ell ep_i}, a_1)$;

■ $lep_1 = lep_2$;

■ if $lep_{A1} = LEP$, then either $lep_{A2} = \emptyset$ and $p_2 = reset$, or $lep_{A2} = lep_{A1}$
and $p_2 = noreset$; otherwise, $lep_{A2} = lep_{A1} \cup \{\ell ep_i \in lep_1 \mid q_{2\ell ep_i} \in
F_{\ell ep_i}\} \cup \{\ell ep_i \notin lep_1 \mid q_{2\neg\ell ep_i} \in F_{\neg\ell ep_i}\}$ and $p_2 = noreset$.

Note that at a given position, when all required accepting conditions have
been satisfied, the choice to reset or not is nondeterministic, which makes it
possible to wait until the required acceptance conditions have been satisfied
at each position and then to reset everywhere simultaneously;

• The set of accepting states is $F_R$.

The initial states of $M^a_{\neg\ell osp}$ are those of the following form:

$(w(0), q_{0\ell ep_1}, \ldots, q_{0\ell ep_k}, q_{0\neg\ell ep_1}, \ldots, q_{0\neg\ell ep_k}, lep_1, \emptyset, noreset)$
$(w(1), q_{0\ell ep_1}, \ldots, q_{0\ell ep_k}, q_{0\neg\ell ep_1}, \ldots, q_{0\neg\ell ep_k}, lep_2, \emptyset, noreset)$
$\cdots$
$(w(n-1), q_{0\ell ep_1}, \ldots, q_{0\ell ep_k}, q_{0\neg\ell ep_1}, \ldots, q_{0\neg\ell ep_k}, lep_n, \emptyset, noreset)$,

where $w(0) \cdots w(n-1) \in L(A_{S_0})$ and $lep_1 lep_2 \cdots lep_n \in \neg\ell osp$.

The accepting states in the language of the automaton $F^a$ are those in which
for every position the last part $p$ of the label is $reset$, which implies that all
relevant automata have seen an accepting state since the last "reset".
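As an added example (not from the paper), the following Python code exercises the second $2^{LEP}$ component and the reset flag of the construction above on a lasso-shaped execution, i.e. a finite prefix followed by a cycle repeated forever. The execution is abstracted to what the transducer actually consumes: for each global state and each position $j$, the set of indices $i$ whose relevant automaton ($A_{\ell ep_i}$ if $\ell ep_i \in lep_j$, $A_{\neg\ell ep_i}$ otherwise) is currently in an accepting state. The three lassos and the way they are presented are assumptions of this example; the nondeterministic choice of when to reset is resolved eagerly, resetting as soon as every position has accumulated the whole of $LEP$.

```python
# Constructed sample, assumed shape: an execution of M^a_{not losp} given as
# a lasso (prefix, cycle).  Each global state is a list with one entry per
# position j; the entry is the set of indices i whose relevant automaton
# (A_{lep_i} if lep_i is required at j, A_{not lep_i} otherwise) is in an
# accepting state at that position in that global state.
N_PROPS = 2

LASSO_OK = ([],
            [[{0}, set()],        # position 0 sees automaton 0 accept
             [{1}, {0, 1}],       # now every position has accumulated {0, 1}
             [set(), set()]])     # the reset fires here, on every round
LASSO_STUCK = ([],
               [[{0, 1}, {0}],    # position 1 never sees automaton 1 accept
                [set(), set()]])
LASSO_ONCE = ([[{0, 1}, {0, 1}]], # everything accepts once in the prefix...
              [[set(), set()]])   # ...but never again on the cycle


def step(acc, hits, full):
    """One transition of T^a_R restricted to the second 2^LEP component and
    the reset flag: when every position's accumulated set equals LEP the
    transducer resets all positions together (p_2 = reset), otherwise each
    position adds the accepting sets it currently sees (p_2 = noreset)."""
    if all(a == full for a in acc):
        return [frozenset()] * len(acc), True
    return [a | frozenset(h) for a, h in zip(acc, hits)], False


def accepting_with_reset(prefix, cycle, n_props):
    """True iff the label 'reset' occurs at every position infinitely often
    along the lasso, i.e. the generalized Buchi condition is met."""
    full = frozenset(range(n_props))
    acc = [frozenset()] * len(cycle[0])          # initial states carry the empty set
    for hits in prefix:
        acc, _ = step(acc, hits, full)
    # The accumulated sets at the start of a cycle round determine everything
    # that follows, so once a start configuration recurs the rounds in between
    # repeat forever; a reset in that period means infinitely many resets.
    first_seen, rounds = {}, []
    while True:
        start = tuple(acc)
        if start in first_seen:
            return any(rounds[first_seen[start]:])
        first_seen[start] = len(rounds)
        saw_reset = False
        for hits in cycle:
            acc, did_reset = step(acc, hits, full)
            saw_reset = saw_reset or did_reset
        rounds.append(saw_reset)


if __name__ == "__main__":
    print(accepting_with_reset(*LASSO_OK, N_PROPS))     # True
    print(accepting_with_reset(*LASSO_STUCK, N_PROPS))  # False
    print(accepting_with_reset(*LASSO_ONCE, N_PROPS))   # False
```

Resetting as early as possible is the right resolution of the nondeterministic choice: after an early reset the accumulated sets are always a superset of what a later reset would have accumulated, so an eager strategy resets at least as often as any other. The third lasso shows why accumulation alone is not enough: every automaton accepts once in the prefix, one reset follows, and the cycle then never completes another round.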

Theorem 30 The Büchi regular system $M^a_{\neg\ell osp}$ has an accepting execution of
the form $\pi^a = \pi^a(0)\pi^a(1)\ldots$ if and only if the execution $\pi = w_0 w_1 w_2 \cdots$ of
$M$, where $w_i = \Pi_\Sigma(\pi^a(i))$ ($\forall i$), does not satisfy $\neg\ell osp$.

PROOF. Follows from the construction above.



The system $M$ being locally-finite, $M^a_{\neg\ell osp}$ is also locally-finite. We thus have
the following result, which shows that checking the emptiness of $M^a_{\neg\ell osp}$ can be
reduced to solving the regular reachability problems.

Proposition 31 The Büchi regular system $M^a_{\neg\ell osp} = (\Sigma^a, A^a_{S_0}, T^a_R, F^a)$ is empty
if and only if

PROOF. Same as Proposition 19.



7 Boolean Combinations and Multiple Alternations for Parametric
Systems

7.1 Boolean Combinations

It is easy to see that one can verify Boolean combinations of global and local-oriented
system properties (each property being a literal). Indeed, any Boolean
combination can be turned into another combination that only uses the
connectives for disjunction ($\vee$) and negation ($\neg$). Properties being defined
by finite-word and Büchi automata, one can always compute their negation.
Verifying the disjunction of several properties is direct by definition.

7.2 Multiple Alternations for Parametric Systems 

In some situations, it is also interesting to consider properties with multiple 
alternations between local-oriented and global system properties. By multiple 
alternations, we mean local-oriented properties that reference global system 
properties and vice-versa. We will not formally characterize the way alter- 
nations can occur, but rather illustrate the concept with several examples. 
Multiple-alternation properties will be specified by combining the notations 
introduced in Sections 4.1 and 6.1. The semantics of multiple-alternation prop- 
erties easily follows from those notations. 

We now propose several examples that illustrate how multiple-alternation
properties can be reduced to properties with a simple alternation on an augmented
system, a problem for which this paper provided verification procedures.
We consider a parametric system, and assume that each of its processes
can be in one of the two following states $\{C, T\}$. The following property is a
local-oriented system property:

$\forall i \Box(C[i] \Rightarrow \Diamond T[i]).$ (5)

Indeed, we could think that this property is a local-oriented system property.
However, due to the presence of the $\exists$ quantifier, $\Box(C[i] \Rightarrow \Diamond(\exists j \neq i) T[j])$
can reference several processes and is thus not a local execution property.



The solution we propose is to reduce the property above to a local execution 
property over an augmented system. This is done by introducing new Boolean 
variables in the specification of each process. Those variables can be arbitrarily 
true or false in any moment of an execution. Let us go back to our example 
and assume that we add to each process a Boolean variable "a" that behaves 
as described above. We use a[i] to denote that the variable a is true for the 
process i in the current state, and -^a[i] to denote that it is falsJ^. In this case 
Property 13 can be rewritten as 



Clearly, 0i = Vin(C[?] =^ Oa[i]) is a local-oriented system property, and 
02 = □Vi(a[i] -v^ (3j 7^ i)T[j]) and 03 = □V2(a[2] V -^a[i]) are global system 
properties. 

We now give two other illustrating examples. 
Example 32 Consider the following property: 



This property cannot be expressed neither by a local-oriented system property 
nor by a global system property. The solution is again to reduce the extended 
state property to a state property over an augmented system. We introduce 
a Boolean variable "a" that can be either true or false in each state. Using 
variable "a", Property 9 can be rewritten as a conjunction of local- oriented 
and global system properties. 

^ When we add a Boolean variable, we extend the alphabet on which pro- 
cesses's states are encoded. As an example, if the set of states was given by 
E = {C, T} before the variable a is added, it becomes Sj^} = S x {^a, a] = 
{(C, -la), (C, a), (T, -la), (T, a)} after the addition occurs. As a consequence, any 
automaton defined over S must take this extension into account, which is done by 
dupHcating each of its transitions. As an example, a transition labeled by T is du- 
plicated into two transitions, one labeled by (T, a) and the other one by (T, -la). To 
not lengthen the presentation, we will assume this translation to be implicit, and 



Vin(C[i] ^ Oa[i]) A 
□Vz(a[z] ^ (3j ^ i)T[j]) A 
□Vz(a[z] V -^a[i]). 



(6) 
(7) 




□ (V^OT[2] A3jC[j]). 



(9) 



we write a[i] for (T,a)[i] V (C,a)[i] and T for (T,a)[i] V {T,^a)[i\. 
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□ (Vm[^] A3jC[j])A 
Vin(a[i]^OT[i]) A 
□Vz(a[z] V -^a\i]). 



(10) 

(11) 
(12) 



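The reduction just described, carried out on concrete executions, as an added example that is not part of the paper. Executions are represented as ultimately periodic (lasso-shaped) words over configurations, the original property $\forall i\, \Box(C[i] \Rightarrow \Diamond(\exists j \neq i)\, T[j])$ is evaluated directly, and the rewritten conjuncts $\phi_1 = \forall i\, \Box(C[i] \Rightarrow \Diamond a[i])$ and $\phi_2 = \Box\, \forall i\, (a[i] \Rightarrow (\exists j \neq i)\, T[j])$ are evaluated on the system augmented with $a$ exactly as the footnote prescribes (each state paired with a value of $a$). The example assumes that the free variable $a$ is an existential guess, i.e. the rewritten property holds when some choice of values for $a$ satisfies it; this reading is an assumption made here, not a statement of the paper. It goes beyond the single pair of formulas in the text by checking the equivalence exhaustively on all lassos of a small shape. The names Lasso, satisfies_phi, satisfies_reduction and the sample executions are constructed for this illustration.

```python
"""Reduction of the first multiple-alternation property of Section 7.2 to
phi1 (local-oriented) and phi2 (global) over a system augmented with a
free Boolean variable `a`.  Added illustration, not code from the paper.
Executions are ultimately periodic omega-words prefix.loop^omega over
configurations (one state per process)."""
from itertools import product

C, T = "C", "T"  # the two process states of the example

class Lasso:
    """prefix . loop^omega; only len(prefix)+len(loop) positions differ."""
    def __init__(self, prefix, loop):
        assert loop, "the loop must be non-empty"
        self.prefix, self.loop = tuple(prefix), tuple(loop)
        self.n = len(self.loop[0])  # number of processes
    def positions(self):
        return range(len(self.prefix) + len(self.loop))
    def config(self, k):
        return (self.prefix + self.loop)[k]
    def future(self, k):
        """Every position m >= k up to periodicity: the rest of the prefix
        (if k lies in it) plus the whole loop.  This realises 'eventually'."""
        return range(min(k, len(self.prefix)), len(self.prefix) + len(self.loop))

def other_in_T(cfg, i):
    """(exists j != i) T[j] in a single configuration."""
    return any(cfg[j] == T for j in range(len(cfg)) if j != i)

def satisfies_phi(w):
    """Original property: forall i . [] ( C[i] => <> (exists j != i) T[j] )."""
    return all(w.config(k)[i] != C
               or any(other_in_T(w.config(m), i) for m in w.future(k))
               for i in range(w.n) for k in w.positions())

# Augmented system: states over Sigma x {a, not a}, as in the footnote.
def extend(w, labelling):
    """Pair each state with a value of `a` (labelling[k][i] is a[i] at k).
    Assumption: `a` is an existential guess, which is how "arbitrarily true
    or false" is read here."""
    cfgs = [tuple(zip(w.config(k), labelling[k])) for k in w.positions()]
    p = len(w.prefix)
    return Lasso(cfgs[:p], cfgs[p:])

def a_of(ecfg, i):  # a[i] stands for (T,a)[i] or (C,a)[i]
    return ecfg[i][1]

def state_of(ecfg, i):  # T[i] stands for (T,a)[i] or (T,not a)[i]
    return ecfg[i][0]

def satisfies_phi1(ew):
    """phi1, local-oriented: forall i . [] ( C[i] => <> a[i] )."""
    return all(state_of(ew.config(k), i) != C
               or any(a_of(ew.config(m), i) for m in ew.future(k))
               for i in range(ew.n) for k in ew.positions())

def satisfies_phi2(ew):
    """phi2, global: [] forall i . ( a[i] => (exists j != i) T[j] ).
    phi3, a[i] or not a[i], is a tautology and needs no check."""
    return all(not a_of(ew.config(k), i)
               or any(state_of(ew.config(k), j) == T for j in range(ew.n) if j != i)
               for i in range(ew.n) for k in ew.positions())

def satisfies_reduction(w):
    """Does some choice of `a` satisfy phi1 and phi2?  Brute force over all
    2^(positions x processes) labellings of the lasso."""
    cells = [(k, i) for k in w.positions() for i in range(w.n)]
    for bits in product((False, True), repeat=len(cells)):
        lab = [[False] * w.n for _ in w.positions()]
        for (k, i), b in zip(cells, bits):
            lab[k][i] = b
        ew = extend(w, lab)
        if satisfies_phi1(ew) and satisfies_phi2(ew):
            return True
    return False

def canonical_labelling(w):
    """The witness behind the reduction: a[i] holds exactly when another
    process is in T, so phi2 is true by construction."""
    return [[other_in_T(w.config(k), i) for i in range(w.n)] for k in w.positions()]

def reduction_agrees(n, prefix_len, loop_len):
    """Exhaustively check phi <=> (exists a . phi1 and phi2) on every lasso
    of the given shape with n processes."""
    cfgs = list(product((C, T), repeat=n))
    return all(satisfies_phi(w) == satisfies_reduction(w)
               for pre in product(cfgs, repeat=prefix_len)
               for loop in product(cfgs, repeat=loop_len)
               for w in [Lasso(pre, loop)])

# Constructed sample executions (not from the paper).
ALTERNATING = Lasso([(C, T, T)], [(T, C, T), (T, T, C)])  # satisfies phi
STUCK = Lasso([(C, C, T)], [(C, C, C)])  # violates phi: in the loop nobody is in T
ALONE = Lasso([], [(T,), (C,)])  # violates phi: a single process has no j != i

if __name__ == "__main__":
    for name, w in [("ALTERNATING", ALTERNATING), ("STUCK", STUCK), ("ALONE", ALONE)]:
        print(name, satisfies_phi(w), satisfies_reduction(w))
    print("phi and reduction agree on all 2-process lassos:", reduction_agrees(2, 1, 2))
```

The direction "reduction implies original" is the one that needs the global conjunct: whenever $a[i]$ is guessed true, $\phi_2$ forces another process to be in $T$ at that very position, so the eventuality promised by $\phi_1$ is discharged by a real $T$. The converse direction is witnessed by canonical_labelling, which is why the brute-force search is only there to show that no other guess can do better. The restriction to lasso-shaped words is what makes the search finite; in the paper's setting the same guess is performed by the nondeterminism of the Büchi automaton over the extended alphabet.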
Of course, we can have several alternations in the same formula. In such situations, the construction has to be applied for each alternation. Consider the following example.

Example 33 Consider the following property $\varphi_1$:

$\forall i\, \Box(C[i] \Rightarrow \Diamond(\exists j \neq i)\, \mathit{Buchi}_{\psi}[j]),$ (13)

where $\mathit{Buchi}_{\psi}[j]$ is a Büchi modality which is true if and only if the $j$-th process satisfies the local execution property $\psi$ described by a Büchi automaton $\mathit{Buchi}_{\psi}$.

Property $\varphi_1$ can be expressed neither as a local-oriented system property nor as a global system property. The solution is to introduce two Boolean variables $a$ and $b$. Using those variables, $\varphi_1$ can be rewritten as the property $\varphi_2$ defined as follows:

$\forall i\, \Box(C[i] \Rightarrow \Diamond a[i])\ \wedge$ (14)
$\Box\, \forall i\, (a[i] \Rightarrow (\exists j \neq i)\, b[j])\ \wedge$ (15)
$\forall i\, \Box(b[i] \Rightarrow \mathit{Buchi}_{\psi}[i])\ \wedge$ (16)
$\Box\, \forall i\, (a[i] \vee \neg a[i])\ \wedge$ (17)
$\Box\, \forall i\, (b[i] \vee \neg b[i]).$ (18)

By observing that $\forall i\, \Box(b[i] \Rightarrow \mathit{Buchi}_{\psi}[i])$ is a local-oriented property (the set of executions that satisfy $b$ can easily be described with a Büchi automaton), we conclude that $\varphi_2$ is a Boolean combination of local-oriented and global system properties.

There are also alternations that we have not been able to handle. As an example, we cannot treat a property that has two free variables or a second-order variable under the scope of a temporal LTL operator. The same observation was made for a similar logic in [AJN+04,AJNS04].
8 Related Work on Verifying Temporal Properties in (ω-)Regular Model Checking

The problem of verifying linear temporal properties in the framework of regular model checking was first addressed in [BJNT00,PS00,Sha01]. However, the treatment of this problem in these papers was preliminary and somewhat ad hoc, for very particular kinds of properties of parametric systems.

In [AJN+04,AJNS04], Abdulla et al. independently^ proposed an approach based on a specification logic called LTL(MSO), which combines the monadic second-order logic MSO and the linear temporal logic LTL. Properties written in the LTL(MSO) logic are local-oriented system properties, where the local system properties are LTL properties that can make assumptions on the executions of the other processes, up to some restrictions. The LTL(MSO) logic has been designed for parametric systems and is not suited (and sometimes not powerful enough) to express very simple properties of many other interesting classes of systems, such as systems with integer variables (when considering a non-unary encoding). The verification procedure in [AJN+04,AJNS04] is only dedicated to regular systems that are locally-finite, and the ω-regular framework is not considered. Finally, unlike our local-oriented properties, the LTL(MSO) logic cannot be used to express properties which are Boolean combinations of properties written in logics that are more expressive or concise than LTL (e.g. PTL [GO03,LPZ85], ETL [Wol82], or μTL [Var88]).

In [VSVA05], Agha et al. proposed to use learning-based algorithms [Ang87] to verify global system properties of regular systems. The technique they proposed relies on the computation of several fixed point operators, which are used to test whether a Büchi regular system is empty or not. The use of learning algorithms to make the fixed point computations terminate requires enriching the systems with two extra variables. This is a clear restriction, since it is known that there are many systems for which the set of reachable states is regular before the variables have been introduced, but not after. The work in [VSVA05] also lacks a clear description of the encoding of linear temporal properties in the regular framework, which is one of the main contributions of our work. Finally, we mention that [VSVA05] does not consider the ω-regular framework.

^ The approach in [AJN+04,AJNS04] was proposed in the same period of time as our early work [BLW04b], of which the present paper is an extension.
9 Conclusion and Future Work

We have presented a general framework for specifying and verifying a large class of linear temporal properties for systems represented in the (ω-)regular model checking framework. The verification techniques we provide are based on reductions to the (ω-)reachability problems.

Our objective was not performance evaluation. A next step will thus be to implement our constructions in several regular model checking tools (e.g. T(O)RMC [Leg08], LEVER [VV06], or KMC [KMC]) and compare their performance. Another direction for future work is to extend our results to the verification of computation tree logic properties. It would also be of interest to propose criteria to check whether the extrapolation of the simulation with the technique of [BLW03,BLW04a,Leg07] is precise. Developing a methodology to decide whether FIFO-queue and pushdown systems are locally-finite is another topic of interest. We would also like to give a formal characterization of which alternations between local-oriented and global system properties are allowed.